Abstract



Type and effect systems are a tool to analyse statically the behaviour of programs with
effects. We present a proof based on the so called reducibility candidates that a suitable
stratification of the type and effect system entails the termination of the typable programs.
The proof technique covers a simply typed, multi-threaded, call-by-value lambda-calculus,
equipped with a variety of scheduling (preemptive, cooperative) and interaction mechanisms
(references, channels, signals).

Keywords Types and effects. Termination. Reducibility candidates. 

1 Introduction

In the framework of functional programs, the relationship between type systems and termination
has been extensively studied through the Curry-Howard correspondence. It would
be interesting to extend these techniques to programs with effects. By effect we mean the
possibility of executing operations that modify the state of a system such as reading/writing
a reference or sending/receiving a message.

Usual type systems as available, e.g., in various dialects of the ML programming language,
are too poor to account for the behaviour of programs with effects. A better approximation
is possible if one abstracts the state of a system in a certain number of regions and if the
types account for the way programs act on such regions. So-called type and effect systems [8]
are an interesting formalisation of this idea and have been successfully used to analyse statically
the problem of heap-memory deallocation [10]. On the other hand, the proof-theoretic
foundations of such systems are largely unexplored. Only recently, it has been shown [3]
that a stratification of the regions entails termination in a certain higher-order language with
cooperative threads and references. Our purpose here is to revisit this result trying to clarify
and extend both its scope and its proof technique (a more technical comparison is delayed to
section 4). We refer to [3] for a tentative list of papers referring to a notion of stratification for
programs with side effects. Perhaps the closest works in spirit are those that have adapted
the reducibility candidates techniques to the π-calculus [11, 9]. Those works exhibit type
systems for the π-calculus that guarantee the termination of the usual continuation passing
style translations of typed functional languages into the π-calculus. However, as pointed out
by one of the authors of op. cit. in [5], they are not very successful in handling state sensitive
programs. The approach here is a bit different: one starts with a higher-order typed functional
language which is known to be terminating and then one determines to what extent
side-effects can be added while preserving termination. Yet in another direction, we notice
that a notion of region stratification has been used in [2] to guarantee the polynomial time
reactivity of a first-order timed/synchronous language.

We outline the contents of the paper. In section 2 we introduce a λ-calculus with regions.
Regions are an abstraction of dynamically generated values such as references, channels, and
signals, and the reduction rules of the calculus are given in such a way that the reduction
rules for references, channels, and signals can be simulated by those given for regions. In
section 3 we describe a simple type and effect system along the lines of [8]. In this discipline,
types carry information on the regions on which the evaluated expressions may read or write.
The discipline allows one to write in a region r values that have an effect on the region r itself.
In turn, this allows one to simulate recursive definitions and thus to produce non-terminating
behaviours. In section 4, following [3], we describe a stratification of the regions. The idea
is that regions are ordered and that a value written in a region may only produce effects in
smaller regions. We then propose a new reducibility candidates interpretation (see, e.g., [6]
for a good survey) entailing the termination of typable programs. In section 5 we enrich
the language with the possibility to generate new threads and to react to the termination of
the computation. The language we consider is then timed/synchronous in the sense that a
computation is regarded as a possibly infinite sequence of instants. An instant ends when the
calculus cannot progress anymore (cf. timed/synchronous languages such as Timed CCS [7]
and ESTEREL [4]). We extend the stratified typing rules to this language and show by means
of a translation into the core language that typable programs terminate. We also show that a
fixed-point combinator can be defined and typed so that recursive calls are allowed as long as
they arise at a later instant. This differs from [3] where a fixed-point combinator is added to
the language, potentially compromising the termination property. Appendix A contains the
main proofs and appendix B summarizes the type and effect systems considered.

2 A λ-calculus with regions

We consider a λ-calculus with regions. Regions are abstractions of dynamically generated
'pointers' which, depending on the context, are called references, channels, or signals. Given
a program with operators to generate values dynamically (such as ref in the ML language
or ν in the π-calculus), one may simply introduce a distinct region for every occurrence of
such operators. This amounts to collapsing all the 'pointers' generated by the operator at run
time into one constant. The resulting language simulates the original one as long as the
values written into regions do not erase those already there. In particular, termination for
the language with regions entails termination for the original language.

We notice that ordinary type systems for programs with dynamic values perform a similar
abstraction: all the values that are generated by an operator are assigned the same type. For
instance, typing $\nu x.P$ in the π-calculus will reduce to typing the process $P$ in a context where
the name $x$ is associated with a suitable type $A$. In the corresponding language with regions,
one will replace the name $x$ with a region $r$ and type $[r/x]P$ ($[r/x]$ is the substitution) in a
region context where $r$ is associated with $A$.

To summarise, termination for the language with regions entails termination for the original
calculi and moreover ordinary type systems implicitly abstract dynamically generated
values into regions. Therefore, we argue that one can carry on the main type theoretic arguments
at the level of regions rather than at the more detailed level of dynamically generated
values.¹



2.1 Syntax 

We consider the following syntactic categories:

$x, y, \ldots$   (variables)

$r, s, \ldots$   (regions)

$e, e', \ldots$   (finite sets of regions)

$A ::= 1 \mid \mathrm{Reg}_r A \mid (A \xrightarrow{e} A)$   (types)

$\Gamma ::= x_1 : A_1, \ldots, x_n : A_n$   (context)

$R ::= r_1 : A_1, \ldots, r_n : A_n$   (region context)

$M ::= x \mid r \mid * \mid \lambda x.M \mid MM \mid \mathrm{get}(M) \mid \mathrm{set}(M, M)$   (terms)

$V ::= r \mid * \mid \lambda x.M$   (values)

$v, v', \ldots$   (sets of values)

$S ::= (r \Leftarrow v) \mid S, S$   (stores)

$X ::= M \mid S$   (stores or terms)

$P ::= X \mid X, P$   (programs)



We briefly comment on the notation: $1$ is the terminal (unit) type with value $*$; $\mathrm{Reg}_r A$ is the
type of a region $r$ containing values of type $A$; $A \xrightarrow{e} B$ is the type of functions that when
given a value of type $A$ may produce a value of type $B$ and an effect on the regions in $e$; get
is the operator to read some value in a region and set is the operator to insert a value in a
region.

We write $[N/x]M$ for the substitution of $N$ for $x$ in $M$. If $R = r_1 : A_1, \ldots, r_n : A_n$ then
$\mathrm{dom}(R) = \{r_1, \ldots, r_n\}$. If $r \in \mathrm{dom}(R)$ then we write $R(r)$ for the type $A$ such that $r : A$
occurs in $R$. We also define the term $\mathrm{reg}_r M$ as an abbreviation for $(\lambda x.r)(\mathrm{set}(r, M))$. Thus
the difference between $\mathrm{set}(r, M)$ and $\mathrm{reg}_r M$ is that in the first case we return $*$ while in the
second we return $r$. When writing a program $P = X_1, \ldots, X_n$ we regard the symbol ',' as
associative and commutative, or equivalently we regard a program as a multi-set of terms and
stores. We write $(r \Leftarrow V)$ for $(r \Leftarrow \{V\})$. We shall identify the store $(r \Leftarrow v_1), (r \Leftarrow v_2)$ with
the store $(r \Leftarrow v_1 \cup v_2)$. We denote with $\mathrm{dom}(S)$ the set of regions $r$ such that $(r \Leftarrow v)$ occurs
in $S$ and define $S(r)$ as the set $\bigcup\{v \mid (r \Leftarrow v) \text{ occurs in } S\}$.



2.2 Reduction 

A call-by-value evaluation context $E$ is defined as:

$$E ::= [\,] \mid EM \mid VE \mid \mathrm{get}(E) \mid \mathrm{set}(E, M) \mid \mathrm{set}(V, E)$$

An elementary evaluation context is defined as:

$$El ::= [\,]M \mid V[\,] \mid \mathrm{get}([\,]) \mid \mathrm{set}([\,], M) \mid \mathrm{set}(V, [\,])$$

¹ Incidentally, it seems much easier to produce denotational models of languages with regions than for the
original languages with dynamic values so that one can hope to find models that do provide insight into the
type systems.



An evaluation context can be regarded as the finite composition (possibly empty) of elementary
evaluation contexts. The reduction on programs is defined as follows:

$$E[(\lambda x.M)V] \rightarrow E[[V/x]M]$$

$$E[\mathrm{get}(r)], (r \Leftarrow V) \rightarrow E[V], (r \Leftarrow V)$$

$$E[\mathrm{set}(r, V)] \rightarrow E[*], (r \Leftarrow V)$$

$$\frac{P \rightarrow P'}{P, P'' \rightarrow P', P''}$$

Note that the semantics of set amounts to adding rather than updating a binding between a
region and a value. Hence a region can be bound at the same time to several values (possibly
infinitely many) and the semantics of get amounts to selecting non-deterministically one of them.

As already mentioned, the notion of region is intended to simulate some familiar programming
concepts such as references, channels, or signals. Specifically: (i) when writing a
reference, we replace the previously written value (if any), (ii) when reading a (unordered,
unbounded) channel we consume (remove from the store) the value read, and finally (iii) the
values written in a signal persist within an instant and disappear at the end of it.² One
can easily formalise the reduction rules for references, channels, and signals, and check that
(within an instant) each reduction step is simulated by at least one reduction step in the calculus
with regions. Thus, typing disciplines that guarantee termination for the calculus with
regions will guarantee the same property when adapted to references, channels, or signals.



3 Types and effects: unstratified case

We introduce a simple type and effect system along the lines of [8]. The following rules define
when a region context $R$ is compatible with a type $A$ (judgement $R \downarrow A$):

$$\frac{}{R \downarrow 1} \qquad \frac{R \downarrow A \quad R \downarrow B \quad e \subseteq \mathrm{dom}(R)}{R \downarrow (A \xrightarrow{e} B)} \qquad \frac{r : A \in R}{R \downarrow \mathrm{Reg}_r A}$$

The compatibility relation is just introduced to define when a region context is well formed
(judgement $R \vdash$) and when a type and effect is well-formed with respect to a region context
(judgements $R \vdash A$ and $R \vdash (A, e)$).

$$\frac{\forall r \in \mathrm{dom}(R) \quad R \downarrow R(r)}{R \vdash} \qquad \frac{R \vdash \quad R \downarrow A}{R \vdash A} \qquad \frac{R \vdash A \quad e \subseteq \mathrm{dom}(R)}{R \vdash (A, e)}$$

A more informal way to express the condition is to say that a judgement $r_1 : A_1, \ldots, r_n : A_n \vdash
B$ is well formed provided that: (1) all the region names occurring in the types $A_1, \ldots, A_n, B$
belong to the set $\{r_1, \ldots, r_n\}$ and (2) all types of the shape $\mathrm{Reg}_{r_i} C$ with $i \in \{1, \ldots, n\}$ and
occurring in the types $A_1, \ldots, A_n, B$ are such that $C = A_i$. For instance, the reader may verify
that $r : 1 \xrightarrow{\emptyset} 1 \vdash \mathrm{Reg}_r(1 \xrightarrow{\emptyset} 1)$ can be derived while $r_1 : \mathrm{Reg}_{r_2}(1 \xrightarrow{\emptyset} 1),\ r_2 : 1 \xrightarrow{\{r_1\}} 1 \vdash$
cannot. Also it can be easily checked that the following properties hold:

$$R \vdash 1 \text{ iff } R \vdash$$

$$R \vdash \mathrm{Reg}_r A \text{ iff } R \vdash \text{ and } R(r) = A$$

$$R \vdash A \xrightarrow{e} B \text{ iff } R \vdash,\ R \vdash A,\ R \vdash B, \text{ and } e \subseteq \mathrm{dom}(R)$$

$$R \vdash \text{ iff } \forall r \in \mathrm{dom}(R)\ R \vdash R(r)$$



² Signals arise in timed/synchronous models where the computation is regulated by a notion of instant or
phase (see section 5).
The subset relation on effects induces a subtyping relation on types and on pairs of types and
effects which is defined as follows (judgements $R \vdash A \leq A'$, $R \vdash (A, e) \leq (A', e')$):

$$\frac{R \vdash A' \leq A \quad R \vdash B \leq B' \quad e \subseteq e' \subseteq \mathrm{dom}(R)}{R \vdash (A \xrightarrow{e} B) \leq (A' \xrightarrow{e'} B')} \qquad \frac{R \vdash A \leq A' \quad e \subseteq e' \subseteq \mathrm{dom}(R)}{R \vdash (A, e) \leq (A', e')}$$

We notice that the transitivity rule:

$$\frac{R \vdash A \leq B \quad R \vdash B \leq C}{R \vdash A \leq C}$$

can be derived via a simple induction on the height of the proofs. The subtyping rule trades
flexibility against precision of the type system. For instance, suppose $A_1 = 1 \xrightarrow{e_1} 1$ and
$A_2 = 1 \xrightarrow{e_2} 1$ and we want to define the type $B$ of the functionals that take a value $V_1$ of
type $A_1$ and a value $V_2$ of type $A_2$ and compute either $V_1 *$ or $V_2 *$. We can define $B =
A_1 \xrightarrow{\emptyset} (A_2 \xrightarrow{e_1 \cup e_2} 1)$. The reader can check that both $\lambda x.\lambda y.x*$ and $\lambda x.\lambda y.y*$ have type
$B$ provided the subtyping rule is used. Incidentally, we note that [3] seems to 'forget' the
subtyping rule. While there is no particular problem in providing a reducibility candidates
interpretation for this rule, we notice that without it the following diverging ML expression
$\mathtt{let}\ f = \mathtt{ref}(\lambda x.x)\ \mathtt{in}\ f := \lambda x.\,{!f}\,x;\ {!f}\,()$, which is given in op. cit. to motivate the stratification
of regions, does not type already in the ordinary unstratified type and effect system because
$(\lambda x.x)$ has type $1 \xrightarrow{\emptyset} 1$ but not $1 \xrightarrow{\{r\}} 1$ where $r$ is the region associated with the reference $f$.

We now turn to the typing rules for the terms. We shall write $R \vdash x_1 : A_1, \ldots, x_n : A_n$ if
$R \vdash$ and $R \vdash A_i$ for $i = 1, \ldots, n$. Note that in the following rules we always refer to the same
region context $R$.

$$\frac{R \vdash \Gamma \quad x : A \in \Gamma}{R; \Gamma \vdash x : (A, \emptyset)} \qquad \frac{R \vdash \Gamma \quad r : A \in R}{R; \Gamma \vdash r : (\mathrm{Reg}_r A, \emptyset)} \qquad \frac{R \vdash \Gamma}{R; \Gamma \vdash * : (1, \emptyset)}$$

$$\frac{R; \Gamma, x : A \vdash M : (B, e)}{R; \Gamma \vdash \lambda x.M : (A \xrightarrow{e} B, \emptyset)} \qquad \frac{R; \Gamma \vdash M : (A \xrightarrow{e_3} B, e_1) \quad R; \Gamma \vdash N : (A, e_2)}{R; \Gamma \vdash MN : (B, e_1 \cup e_2 \cup e_3)}$$

$$\frac{R; \Gamma \vdash M : (\mathrm{Reg}_r A, e)}{R; \Gamma \vdash \mathrm{get}(M) : (A, e \cup \{r\})} \qquad \frac{R; \Gamma \vdash M : (\mathrm{Reg}_r A, e_1) \quad R; \Gamma \vdash N : (A, e_2)}{R; \Gamma \vdash \mathrm{set}(M, N) : (1, e_1 \cup e_2 \cup \{r\})}$$

$$\frac{R; \Gamma \vdash M : (A, e) \quad R \vdash (A, e) \leq (A', e')}{R; \Gamma \vdash M : (A', e')}$$

Finally, we extend the typing rules to stores and general multi-threaded programs. To this
end, it is convenient to introduce a constant behaviour type $\mathbf{B}$ which is the type we give
to multi-sets of threads and/or stores which are not supposed to return a value but just to
interact via side-effects. We will use $\alpha, \alpha', \ldots$ to denote either an ordinary type $A$ or this new
behaviour type $\mathbf{B}$.

$$\frac{r : A \in R \quad \forall V \in v \quad R; \Gamma \vdash V : (A, \emptyset)}{R; \Gamma \vdash (r \Leftarrow v) : (\mathbf{B}, \emptyset)} \qquad \frac{R; \Gamma \vdash X_i : (\alpha_i, e_i) \quad i = 1, \ldots, n > 1}{R; \Gamma \vdash X_1, \ldots, X_n : (\mathbf{B}, e_1 \cup \cdots \cup e_n)}$$
Remark 1 The derived typing rule for $\mathrm{reg}_r M$ is as follows:

$$\frac{r : A \in R \quad R; \Gamma \vdash M : (A, e)}{R; \Gamma \vdash \mathrm{reg}_r M : (\mathrm{Reg}_r A, e \cup \{r\})}$$

One can derive a more traditional 'effect-free' type system by erasing all the effects from
the types and the typing judgements. Note that in the resulting system the subtyping rules
are useless. We shall write $\vdash^{ef}$ for provability in this system. This 'weaker' type system
suffices to state a decomposition property of the terms which is proven by induction on the
structure of the term.

Proposition 2 (decomposition) If $R; \vdash^{ef} M : A$ is a well-typed closed term then exactly
one of the following situations arises where $E$ is an evaluation context:

1. $M$ is a value.

2. $M = E[\Delta]$ and $\Delta$ has the shape $(\lambda x.N)V$, $\mathrm{set}(r, V)$, or $\mathrm{get}(r)$.

3.1 Basic properties of typing and evaluation

We observe some basic properties: (i) one can weaken both the type and region contexts, (ii)
typing is preserved when we replace a variable with an effect-free term of the same type, and
(iii) typing is preserved by reduction. If $S$ is a store and $e$ is a set of regions then $S|_e$ is the
store $S$ restricted to the regions in $e$.

Proposition 3 (basic properties, unstratified) The following properties hold:

weakening If $R; \Gamma \vdash M : (A, e)$ and $R, R' \vdash \Gamma, \Gamma'$ then $R, R'; \Gamma, \Gamma' \vdash M : (A, e)$.

substitution If $R; \Gamma, x : A \vdash M : (B, e)$ and $R; \Gamma \vdash N : (A, \emptyset)$ then $R; \Gamma \vdash [N/x]M : (B, e)$.

subject reduction Let $\overline{M}$ denote a sequence $M_1, \ldots, M_n$. If $R, R'; \vdash \overline{M}, S : (\mathbf{B}, e)$, $R \vdash e$,
and $\overline{M}, S \rightarrow \overline{M}', S'$ then $R, R'; \vdash \overline{M}', S' : (\mathbf{B}, e)$, $S|_{\mathrm{dom}(R')} = S'|_{\mathrm{dom}(R')}$, and $\overline{M}, S|_{\mathrm{dom}(R)} \rightarrow
\overline{M}', S'|_{\mathrm{dom}(R)}$. Moreover, if $\overline{M} = M$ and $R, R'; \vdash M : (A, e)$ then $\overline{M}' = M'$ and
$R, R'; \vdash M' : (A, e)$.

The weakening and substitution properties are shown directly by induction on the proof
height. Concerning subject reduction, it is useful to notice that if a term $M$, of type and
effect $(A, e)$, is ready to read/write the region $r$ then $r \in e$. This follows from an analysis of
the evaluation context. Then we prove the assertion by case analysis on the reduction rule
applied, relying on the substitution property.

Remark 4 The subject reduction property is formulated so as to make clear that the type
and effect system indeed delimits the interactions a term may have with the store. Note that
a term may refer to regions which are not explicitly mentioned in its type and effect. For
instance, consider $M = (\lambda f.*)(\lambda x.\mathrm{get}(r)x)$ and let $R = r : 1 \xrightarrow{\emptyset} 1$. Then $R; \emptyset \vdash M : (1, \emptyset)$,
$\emptyset \vdash (1, \emptyset)$ but $\emptyset; \emptyset \nvdash M : (1, \emptyset)$. The subject reduction property guarantees that such a term
will only read/write regions included in the region context needed to type its type and effect.
3.2 Recursion

In our (unstratified) calculus, we can write in a region $r$ a functional value $\lambda x.M$ where $M$
reads from the region $r$ itself. For instance, $\mathrm{reg}_r(\lambda x.(\mathrm{get}(r))x)$.

This kind of circularity leads to diverging computations such as:

$$\mathrm{get}(\mathrm{reg}_r \lambda x.\mathrm{get}(r)x)* \rightarrow \mathrm{get}(r)*, (r \Leftarrow \lambda x.\mathrm{get}(r)x) \rightarrow (\lambda x.\mathrm{get}(r)x)*, (r \Leftarrow \lambda x.\mathrm{get}(r)x) \rightarrow \mathrm{get}(r)*, (r \Leftarrow \lambda x.\mathrm{get}(r)x) \rightarrow \cdots$$
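The reduction rules of section 2.2 and the circular computation just shown, as an added example that is not code from the paper: a small-step evaluator in Python whose stores are sets of values, so that set adds a binding without erasing the previous one, and whose step budget makes the divergence observable (the term encoding, `run`, `reg` and the sample terms are assumptions of this example).

```python
# Added example: small-step evaluator for the lambda-calculus with regions of section 2.
# Terms are tuples: ('var', x) | ('reg', r) | ('unit',) | ('lam', x, M) | ('app', M, N)
#                   | ('get', M) | ('set', M, N).  Values are 'reg', 'unit' and 'lam'.
# A store maps a region to the SET of values bound to it: set adds, it never updates.
UNIT = ('unit',)

def is_value(t):
    return t[0] in ('reg', 'unit', 'lam')

def subst(t, x, v):
    """[v/x]t for a closed value v (no capture is possible since v has no free variables)."""
    tag = t[0]
    if tag == 'var':
        return v if t[1] == x else t
    if tag in ('reg', 'unit'):
        return t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], subst(t[2], x, v))
    if tag == 'get':
        return ('get', subst(t[1], x, v))
    return (tag, subst(t[1], x, v), subst(t[2], x, v))   # 'app' and 'set'

def step(t, store):
    """One reduction step of t in store, following the evaluation contexts
    E ::= [] | E M | V E | get(E) | set(E, M) | set(V, E).
    Returns the reduct, or None when t is a value or cannot progress. The store is
    updated in place; set(r, V) only ever adds V to the set bound to r."""
    tag = t[0]
    if is_value(t) or tag == 'var':
        return None
    if tag == 'get':
        m = t[1]
        if not is_value(m):
            m2 = step(m, store)
            return None if m2 is None else ('get', m2)
        if m[0] == 'reg' and store.get(m[1]):
            # get(r) selects non-deterministically one bound value; we fix a deterministic choice
            return min(store[m[1]], key=repr)
        return None
    # 'app' and 'set': evaluate the left component first, then the right one
    left, right = t[1], t[2]
    if not is_value(left):
        l2 = step(left, store)
        return None if l2 is None else (tag, l2, right)
    if not is_value(right):
        r2 = step(right, store)
        return None if r2 is None else (tag, left, r2)
    if tag == 'app' and left[0] == 'lam':
        return subst(left[2], left[1], right)            # beta reduction
    if tag == 'set' and left[0] == 'reg':
        store.setdefault(left[1], set()).add(right)      # add a binding, keep the old ones
        return UNIT
    return None

def run(t, store=None, max_steps=100):
    """Reduce t until it cannot progress or max_steps is reached.
    Returns (final term, store, steps taken, finished); finished is False when the
    step budget ran out, i.e. when the program is suspected to diverge."""
    store = {} if store is None else store
    for n in range(max_steps):
        t2 = step(t, store)
        if t2 is None:
            return t, store, n, True
        t = t2
    return t, store, max_steps, False

def reg(r, m):
    """reg_r M, the abbreviation (lambda x.r)(set(r, M)) of section 2.1."""
    return ('app', ('lam', 'x', ('reg', r)), ('set', ('reg', r), m))

# Constructed sample terms.
LOOP = ('lam', 'x', ('app', ('get', ('reg', 'r')), ('var', 'x')))           # lambda x.get(r) x
DIVERGING = ('app', ('get', reg('r', LOOP)), UNIT)                          # get(reg_r lambda x.get(r) x) *
TERMINATING = ('app', ('get', reg('r', ('lam', 'y', ('var', 'y')))), UNIT)  # get(reg_r lambda y.y) *
# (lambda z.set(r, lambda y.y))(set(r, *)): two writes to r, both bindings survive
TWO_WRITES = ('app', ('lam', 'z', ('set', ('reg', 'r'), ('lam', 'y', ('var', 'y')))),
              ('set', ('reg', 'r'), UNIT))

if __name__ == '__main__':
    for name, prog in [('terminating', TERMINATING), ('diverging', DIVERGING), ('two writes', TWO_WRITES)]:
        final, store, n, done = run(prog, max_steps=50)
        print(name, '->', final if done else 'no normal form after %d steps' % n, '; store:', store)
```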

It is well known that this phenomenon can be exploited to simulate recursive definitions.
Specifically, we define:

$$\mathit{fix}_r f.M = \lambda x.(\mathrm{get}(\mathrm{reg}_r(\lambda x.([\lambda x.\mathrm{get}(r)x/f]M)\,x)))\,x \qquad (1)$$

By a direct application of the typing rules and proposition 3 (substitution), one can derive a
rule to type $\mathit{fix}_r f.M$.

Proposition 5 (type fixed-point) The following typing rule for the fixed point combinator
is derived:

$$\frac{r : A \xrightarrow{e} B \in R \quad r \in e \quad R; \Gamma, f : A \xrightarrow{e} B \vdash M : (A \xrightarrow{e} B, \emptyset)}{R; \Gamma \vdash \mathit{fix}_r f.M : (A \xrightarrow{e} B, \emptyset)} \qquad (2)$$

For a concrete example, assume basic operators on the integer type and let $M$ be the
factorial function:

$$M = \lambda x.\ \mathtt{if}\ x = 0\ \mathtt{then}\ 1\ \mathtt{else}\ x * f(x - 1) .$$

Then compute $(\mathit{fix}_r f.M)\,1$. In this case we have $e = \{r\}$ and $r : \mathit{int} \xrightarrow{\{r\}} \mathit{int} \in R$.

4 Types and effects: stratified case

As we have seen, an unstratified simply typed calculus with effects may produce diverging
computations. To avoid this, a natural idea proposed by G. Boudol in [3] is to stratify regions.

Intuitively, we fix a well-founded order on regions and we make sure that values stored
in a region $r$ can only produce effects on smaller regions. For instance, suppose $V$ is a value
with type $(1 \xrightarrow{\{r\}} 1)$. Intuitively, this means that when applied to an argument $U : 1$, $V$ may
produce an effect on the region $r$. Then the value $V$ can only be stored in regions larger than
$r$. We shall see that this stratification allows for an inductive definition of the values that can
be stored in a given region.

The only change in the type system concerns the judgements $R \vdash$, $R \vdash A$, and $R \vdash (A, e)$
whose rules are redefined as follows:

$$\frac{}{\emptyset \vdash} \qquad \frac{R \vdash A \quad r \notin \mathrm{dom}(R)}{R, r : A \vdash} \qquad \frac{R \vdash}{R \vdash 1}$$

$$\frac{R \vdash \quad r : A \in R}{R \vdash \mathrm{Reg}_r A} \qquad \frac{R \vdash A \quad R \vdash B \quad e \subseteq \mathrm{dom}(R)}{R \vdash A \xrightarrow{e} B} \qquad \frac{R \vdash A \quad e \subseteq \mathrm{dom}(R)}{R \vdash (A, e)}$$
Proviso Henceforth we shall use $\vdash$ to refer to provability in the stratified system and $\vdash^{u}$
for provability in the unstratified one. The former implies the latter since $R \vdash$ implies $R \vdash^{u}$
and $R \vdash A$ implies $R \vdash^{u} A$, while the other rules are unchanged.
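The typing rules of section 3 together with the two well-formedness disciplines for region contexts (unstratified compatibility of section 3, the stratified rules above), as an added example that is not the paper's code: a Python checker under which the circular context $r : 1 \xrightarrow{\{r\}} 1$ of section 3.2 is accepted only in the unstratified discipline, while a stratified context rejects storing in $r$ a value with an effect on $r$ (the encodings, `typecheck` and the sample contexts and terms are assumptions of this example).

```python
# Added example: checker for the type and effect system of section 3 with both disciplines
# for region contexts (unstratified: section 3; stratified: section 4).
# Types: ('unit',) | ('reg', r, A) | ('fun', A, e, B) with e a frozenset of region names.
# A region context R is an ORDERED list of (region, type) pairs; Gamma is a dict.
# Lambdas carry the type of their variable, ('lam', x, A, M), so that types can be inferred.
UNIT = ('unit',)

def fun(a, e, b):
    return ('fun', a, frozenset(e), b)

def dom(R):
    return {r for r, _ in R}

def compat(R, a):
    """Unstratified compatibility R |> A: the regions of A are declared in R and a type
    Reg_r C is compatible only when C is exactly R(r). Cycles through R are allowed."""
    if a[0] == 'unit':
        return True
    if a[0] == 'reg':
        return (a[1], a[2]) in R
    return compat(R, a[1]) and compat(R, a[3]) and a[2] <= dom(R)

def wf_unstratified(R):
    """R |- in the unstratified system: every R(r) is compatible with the whole of R."""
    return all(compat(R, a) for _, a in R)

def wf_stratified(R):
    """R |- in the stratified system: each type may only mention regions declared before it,
    so a value stored in r can only have effects on earlier (smaller) regions."""
    return all(r not in dom(R[:i]) and wf_type_stratified(R[:i], a) for i, (r, a) in enumerate(R))

def wf_type_stratified(R, a):
    """R |- A in the stratified system: R itself must be well formed, then the structural rules."""
    return wf_stratified(R) and compat(R, a)

def subtype(a, b):
    """A <= B: contravariant in the argument, covariant in the result and in the effect."""
    if a[0] != b[0]:
        return False
    if a[0] == 'unit':
        return True
    if a[0] == 'reg':
        return a == b
    return subtype(b[1], a[1]) and a[2] <= b[2] and subtype(a[3], b[3])

def infer(R, G, t):
    """Minimal type and effect (A, e) of t under R; Gamma by the rules of section 3
    (subtyping is applied at application and at set). Raises TypeError if t is untypable."""
    tag = t[0]
    if tag == 'var':
        return G[t[1]], frozenset()
    if tag == 'reg':
        return ('reg', t[1], dict(R)[t[1]]), frozenset()
    if tag == 'unit':
        return UNIT, frozenset()
    if tag == 'lam':
        b, e = infer(R, {**G, t[1]: t[2]}, t[3])
        return fun(t[2], e, b), frozenset()
    if tag == 'app':
        f, e1 = infer(R, G, t[1])
        a, e2 = infer(R, G, t[2])
        if f[0] != 'fun' or not subtype(a, f[1]):
            raise TypeError(f'cannot apply {f} to {a}')
        return f[3], e1 | e2 | f[2]
    if tag == 'get':
        m, e = infer(R, G, t[1])
        if m[0] != 'reg':
            raise TypeError('get on a non-region')
        return m[2], e | {m[1]}
    m, e1 = infer(R, G, t[1])          # 'set'
    v, e2 = infer(R, G, t[2])
    if m[0] != 'reg' or not subtype(v, m[2]):
        raise TypeError(f'cannot store {v} in a region of type {m[2]}')
    return UNIT, e1 | e2 | {m[1]}

def typecheck(R, t, stratified=True):
    """Type and effect of the closed term t, or None when R is not well formed under the
    chosen discipline or t is untypable. Lambda annotations are assumed well formed wrt R."""
    if not (wf_stratified(R) if stratified else wf_unstratified(R)):
        return None
    try:
        return infer(R, {}, t)
    except (TypeError, KeyError):
        return None

def reg(r, m):
    """reg_r M = (lambda x.r)(set(r, M)); x has type 1 since set returns *."""
    return ('app', ('lam', 'x', UNIT, ('reg', r)), ('set', ('reg', r), m))

# Constructed sample contexts and terms (cf. sections 3.2 and 4).
LOOP = ('lam', 'x', UNIT, ('app', ('get', ('reg', 'r')), ('var', 'x')))          # lambda x.get(r) x
R_CIRC = [('r', fun(UNIT, {'r'}, UNIT))]                                          # r : 1 -{r}-> 1
R_STRAT = [('s', UNIT), ('r', fun(UNIT, {'s'}, UNIT))]                             # s : 1, r : 1 -{s}-> 1
STORE_LOWER = reg('r', ('lam', 'x', UNIT, ('set', ('reg', 's'), ('var', 'x'))))   # reg_r lambda x.set(s, x)

if __name__ == '__main__':
    print(typecheck(R_CIRC, reg('r', LOOP), stratified=False))   # typable: Reg_r(1 -{r}-> 1) with effect {r}
    print(typecheck(R_CIRC, reg('r', LOOP)))                     # None: r : 1 -{r}-> 1 is not stratified
    print(typecheck(R_STRAT, STORE_LOWER), typecheck(R_STRAT, ('set', ('reg', 'r'), LOOP)))
```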

4.1 Basic properties revisited 

The main properties we have proven for the unstratified system can be specialised to the
stratified one.

Proposition 6 (basic properties, stratified) The following properties hold in the stratified
system.

weakening If $R; \Gamma \vdash M : (A, e)$ and $R, R' \vdash \Gamma, \Gamma'$ then $R, R'; \Gamma, \Gamma' \vdash M : (A, e)$.

substitution If $R; \Gamma, x : A \vdash M : (B, e)$ and $R; \Gamma \vdash N : (A, \emptyset)$ then $R; \Gamma \vdash [N/x]M : (B, e)$.

subject reduction If $R, R'; \vdash \overline{M}, S : (\mathbf{B}, e)$, $R \vdash e$, and $\overline{M}, S \rightarrow \overline{M}', S'$ then $R, R'; \vdash
\overline{M}', S' : (\mathbf{B}, e)$, $S|_{\mathrm{dom}(R')} = S'|_{\mathrm{dom}(R')}$, and $\overline{M}, S|_{\mathrm{dom}(R)} \rightarrow \overline{M}', S'|_{\mathrm{dom}(R)}$. Moreover, if
$\overline{M} = M$ and $R, R'; \vdash M : (A, e)$ then $\overline{M}' = M'$ and $R, R'; \vdash M' : (A, e)$.

4.2 Interpretation 

We describe a reducibility candidates interpretation that entails that typed programs terminate.
We denote with $\mathit{SN}$ the collection of strongly normalising single-threaded programs,
i.e., the programs of the shape $M, S$ such that all reduction sequences terminate. We write
$(M, S) \Downarrow (N, S')$ if $M, S \rightarrow^* N, S'$ and $N, S' \nrightarrow$. We write $R' \geq R$, and say that $R'$ extends $R$,
if $R' \vdash$ and $R' = R, R''$ for some $R''$.

The starting idea is that the interpretation of $R \vdash$ is a set of stores and the interpretation
of $R \vdash (A, e)$ is a set of terms. One difficulty is that the stores and the terms may depend on
a region context $R'$ which extends $R$. We get around this problem by making the context $R'$
explicit in the interpretation. Then the interpretation can be given directly by induction on
the provability of the judgements $R \vdash$ and $R \vdash (A, e)$. This is a notable simplification with
respect to the approach taken in [3] where a rather ad hoc well-founded order on judgements
is introduced to define the interpretation.

A second characteristic of our approach is that the properties a thread must satisfy are
specified with respect to a 'saturated' store which intuitively already contains all the values
the thread may write into it. This approach simplifies the interpretation and provides a
simple argument to extend the termination argument from single-threaded to multi-threaded
programs. Indeed, if we have a set of threads which are guaranteed to terminate with
respect to a saturated store then their parallel composition will terminate too. To see this,
one can reason by contradiction: if the parallel composition diverges then one thread must
run infinitely often and, since the threads cannot modify the saturated store (what they write
is already there), this contradicts the hypothesis that all the threads taken alone with the
saturated store terminate.

Finally, minor technical differences with respect to [3] are that we interpret the subtyping
rule (cf. discussion in section 3) and that our notion of reducibility candidate follows Girard
rather than Stenlund-Tait (see [6] for a detailed comparison and references).
Region-context Let $R = r_1 : A_1, \ldots, r_n : A_n$ and $R_{r_i} = r_1 : A_1, \ldots, r_{i-1} : A_{i-1}$ for
$i = 1, \ldots, n$. We interpret a region-context $R$ as a set of pairs $R' \vdash S$ where $R'$ is a
region-context which extends $R$ and $S$ is a 'saturated' store whose domain coincides
with $R$:

$$[\![R]\!] = \{\, R' \vdash S \mid R' \geq R,\ \mathrm{dom}(S) = \mathrm{dom}(R),\ \text{and for } i = 1, \ldots, n\quad S(r_i) = \{ V \mid R' \vdash V \in [\![R_{r_i} \vdash (A_i, \emptyset)]\!] \} \,\}$$

If $R' \geq R$ then $[\![R]\!](R')$ is defined as the store $S$ such that $R' \vdash S \in [\![R]\!]$. Note that, for
$r \in \mathrm{dom}(R)$ and $R = R_1, r : A, R_2$, $V \in [\![R]\!](R')(r)$ means $R' \vdash V \in [\![R_1 \vdash (A, \emptyset)]\!]$.

Type and effect We interpret a type and effect $R \vdash (A, e)$ as the set of pairs $R' \vdash M$ such
that $R'$ extends $R$, and $M$ is a closed term typable with respect to $R'$ and satisfying
suitable properties (1-3 below):

$$[\![R \vdash (A, e)]\!] = \{\, R' \vdash M \mid (1)\ R' \geq R,\ R'; \vdash M : (A, e),$$
$$(2)\ \text{for all } R'' \geq R'\quad M, [\![R]\!](R'') \in \mathit{SN}, \text{ and}$$
$$(3)\ \text{for all } M', S', R'' \geq R'\quad (M, [\![R]\!](R'')) \Downarrow (M', S')$$
$$\text{implies } S' = [\![R]\!](R'') \text{ and } C(A, R, R'', M') \,\}$$

where $C(A, R, R'', M') =$

$$(A = 1 \supset M' = *)\ \wedge$$
$$(A = \mathrm{Reg}_r B \supset M' = r)\ \wedge$$
$$(A = A_1 \xrightarrow{e'} A_2 \supset M' = \lambda x.N\ \wedge\ \text{for all } R_1 \geq R'',\ R_1 \vdash V \in [\![R \vdash (A_1, \emptyset)]\!] \text{ implies } R_1 \vdash M'V \in [\![R \vdash (A_2, e')]\!])$$

Suppose $R = r_1 : A_1, \ldots, r_n : A_n$. We note that the interpretation of $R$ depends on
the interpretation of $r_1 : A_1, \ldots, r_{i-1} : A_{i-1} \vdash A_i$ for $i = 1, \ldots, n$ and the interpretation of
$R \vdash (A, e)$ depends on the interpretation of $R$ and, when $A = A_1 \xrightarrow{e'} A_2$, on the interpretation
of $R \vdash (A_1, \emptyset)$ and $R \vdash (A_2, e')$. It is easily verified that the definition of the interpretation is
well founded by considering as measure the height of the proof of the interpreted judgement.
We also note that such a well-founded definition would not be possible in the unstratified
system. For instance, the interpretation of $r : A \vdash (A, \emptyset)$ where $A = 1 \xrightarrow{\{r\}} 1$ should refer
to a store containing values of type $A$. Finally, we stress that the interpretations of $R$ and
$R \vdash (A, e)$ actually contain terms typable in an extension $R'$ of $R$ but that their properties
are stated with respect to a store whose domain is $\mathrm{dom}(R)$. This is possible because the type
and effect system does indeed delimit the effects a term may have when it is executed (cf.
remark 4).

4.3 Basic properties of the interpretation 

We say that a term $M$ is neutral if it is not a λ-abstraction. The following proposition
lists some basic properties of the interpretation. Similar properties arise in the reducibility
candidates interpretations used for 'pure' functional languages, but the main point here is that
we have to state them relatively to suitable stores. In particular, the extension/restriction
property, which is perhaps less familiar, is crucial to prove the following soundness theorem
(theorem 9).
Proposition 7 (properties interpretation) The following properties hold.

Weakening If $R'' \geq R' \geq R$, $R \vdash (A, e)$, and $R' \vdash M \in [\![R \vdash (A, e)]\!]$ then $R'' \vdash M \in
[\![R \vdash (A, e)]\!]$.

Extension/Restriction Suppose $R'' \geq R' \geq R$ and $R \vdash (A, e)$. Then $R'' \vdash M \in [\![R \vdash (A, e)]\!]$
if and only if $R'' \vdash M \in [\![R' \vdash (A, e)]\!]$.

Subtyping If $R \vdash (A, e) \leq (A', e')$ then $[\![R \vdash (A, e)]\!] \subseteq [\![R \vdash (A', e')]\!]$.

Strong normalisation If $R' \vdash M \in [\![R \vdash (A, e)]\!]$ and $R'' \geq R'$ then $M, [\![R]\!](R'') \in \mathit{SN}$.

Reduction closure If $R' \vdash M \in [\![R \vdash (A, e)]\!]$, $R'' \geq R'$, and $M, [\![R]\!](R'') \rightarrow M', S'$ then $R'' \vdash
M' \in [\![R \vdash (A, e)]\!]$ and $S' = [\![R]\!](R'')$.

Non-emptiness If $R \vdash A$ then there is a value $V$ such that for all $R' \geq R$ and $e \subseteq \mathrm{dom}(R)$,
$R' \vdash V \in [\![R \vdash (A, e)]\!]$.

Expansion closure Suppose $R \vdash (A, e)$, $R' \geq R$, $R'; \vdash M : (A, e)$, and $M$ is neutral. Then
$R' \vdash M \in [\![R \vdash (A, e)]\!]$ provided that for all $R'' \geq R'$, $M'$, $S'$ such that $M, [\![R]\!](R'') \rightarrow M', S'$
we have that $R'' \vdash M' \in [\![R \vdash (A, e)]\!]$ and $S' = [\![R]\!](R'')$.

Proof hint.

Weakening We rely on proposition 6 (syntactic weakening) and the fact that the properties
the pairs $R' \vdash M$ must satisfy to belong to $[\![R \vdash (A, e)]\!]$ must hold for all the extensions
$R'' \geq R'$.

Extension/Restriction By definition, $[\![R]\!](R'')$ coincides with $[\![R']\!](R'')$ on $\mathrm{dom}(R)$. On the
other hand, proposition 6 (subject reduction) guarantees that the reduction of a
term of type and effect $(A, e)$ will not depend on and will not affect the part of the store
whose domain is $\mathrm{dom}(R') \setminus \mathrm{dom}(R)$. We then prove the property by induction on the
structure of the type $A$.

Subtyping This is proven by induction on the proof of $R \vdash A \leq A'$.

Strong normalisation This follows immediately from the definition of the interpretation.

Reduction closure We know that $M, [\![R]\!](R'')$ must normalise to a value satisfying suitable
properties and the same saturated store $[\![R]\!](R'')$. Moreover, we know that the store can
only grow during the reduction. We conclude applying the weakening property.

Non-emptiness/Expansion closure These two properties are proven at once, by induction
on the proof height of $R \vdash (A, e)$. We take as values: $*$ for the type $1$, $r$ for a type
of the shape $\mathrm{Reg}_r B$, and the 'constant function' $\lambda x.V_2$ for a type of the shape $A_1 \xrightarrow{e'} A_2$
where $V_2$ is the value inductively built for $A_2$. To prove $\lambda x.V_2 \in [\![R \vdash (A_1 \xrightarrow{e'} A_2, e)]\!]$, we
use the inductive hypothesis of expansion closure of $[\![R \vdash (A_2, e')]\!]$. □
4.4 Soundness of the interpretation

By definition, if $R \vdash M \in [\![R \vdash (A, e)]\!]$ then $R; \vdash M : (A, e)$. We are going to show that the
converse holds too. First we need to generalise the notion of reducibility to open terms.

Definition 8 (term interpretation) We write $R; x_1 : A_1, \ldots, x_n : A_n \models M : (B, e)$ if
whenever $R' \geq R$ and $R' \vdash V_i \in [\![R \vdash (A_i, \emptyset)]\!]$ for $i = 1, \ldots, n$ we have that $R' \vdash [V_1/x_1, \ldots, V_n/x_n]M \in
[\![R \vdash (B, e)]\!]$.

As usual, the main result can be stated as the soundness of the interpretation with respect
to the typing rules. Since terms in the interpretation are strongly normalising relatively to
a saturated store (cf. proposition 7), it follows that typable (closed) terms are strongly
normalising.

Theorem 9 (soundness) If $R; \Gamma \vdash M : (B, e)$ then $R; \Gamma \models M : (B, e)$.

Proof hint. The proof goes by induction on the typing of the terms and exploits the
properties of the interpretation stated in proposition 7. As usual, the case of the abstraction
is proven by appealing to expansion closure and the case of application follows from the very
interpretation of the functional types and reduction closure. The cases where we write or
read from the store have to be handled with some care. We discuss a simplified situation.
Suppose $R' \geq R = R_1, r : A, R_2$.

write Suppose $R; \vdash \mathrm{set}(r, V) : (1, \{r\})$ is derived from $R; \vdash V : (A, \emptyset)$. Then, by induction
hypothesis, we know that $R' \vdash V \in [\![R \vdash (A, \emptyset)]\!]$. However, for maintaining the invariant
that the saturated store is unchanged, we need to show that $R' \vdash V \in [\![R_1 \vdash (A, \emptyset)]\!]$, and
this is indeed the case thanks to proposition 7 (restriction).

read Suppose we have $R'; \vdash \mathrm{get}(r) : (A, \{r\})$. Now notice that proposition 7 (non-emptiness)
guarantees that $[\![R]\!](R')(r)$ is not empty. Thus $\mathrm{get}(r), [\![R]\!](R')$ will reduce to $V, [\![R]\!](R')$ for
some value $V$ such that $R' \vdash V \in [\![R_1 \vdash (A, \emptyset)]\!]$. However, what we need to show is that
$R' \vdash V \in [\![R \vdash (A, \emptyset)]\!]$ and this is indeed the case thanks to proposition 7 (extension). □

Corollary 10 (termination) (1) The judgement $R; \vdash M : (A, e)$ is provable if and only if
$R \vdash M \in [\![R \vdash (A, e)]\!]$.

(2) Every typable multi-threaded program $R; \vdash M_1, \ldots, M_n : (\mathbf{B}, e)$ terminates.

Corollary 10(1) follows from theorem 9 taking the context $\Gamma$ to be empty. Corollary 10(2)
follows from the fact that each thread strongly normalizes with respect to a saturated store.
Then its execution is not affected by the execution of other threads in parallel: all these
parallel threads could do is to write in the saturated store values which are already there.

5 Extensions 

In this section we sketch two extensions of our basic model. The first simple one (section 5.1)
concerns the possibility of generating dynamically new threads while the second (section 5.2)
is a bit more involved and it concerns the notion of timed/synchronous computation.
5.1 Thread generation

In the presented system, the number of threads is constant. We describe a simple extension
that allows one to generate new threads during the execution. Namely, (1) we regard a multi-set
of terms $M_1, \ldots, M_n$ as a term of behaviour type $\mathbf{B}$ and (2) we abstract terms of behaviour
type $\mathbf{B}$ producing terms of type $(A \xrightarrow{e} \mathbf{B})$ for some type $A$ and effect $e$ (this formalisation is inspired by
[1] (chpt. 16)). It is straightforward to extend the rules for the formation of region contexts
and types and for subtyping to take into account the behaviour type $\mathbf{B}$. Similarly, the typing
rules for abstraction and application are extended to take into account the situation where
the codomain of the functional space is $\mathbf{B}$. The full definition of this system is given in
appendix B. In this extended system, we can then type, e.g., a term that after performing
an input will start two threads in parallel: $(\lambda x.(M, N))\mathrm{get}(r)$ which would be written in, say,
the π-calculus as $r(x).(M \mid N)$.

In order to show termination of this extended language, we have to define the interpretation
of the judgement $R \vdash (\mathbf{B}, e)$. To this end, it is enough to extend the definition in
section 4.2 by requiring that a term in $[\![R \vdash (\mathbf{B}, e)]\!]$ when run in the saturated store will indeed
terminate without modifying the store and produce a multi-set of values. Formally, we add
the condition '$A = \mathbf{B} \supset M' = V_1, \ldots, V_n,\ n \geq 1$' to the definition of the predicate $C$. We can
then lift our results to this system leaving the structure of the proofs unchanged.

5.2 Synchrony /Time 

We consider a timed/synchronous extension of our language. Following an established tra- 
dition, we consider that the computation is divided into instants and that an instant ends 
when the computation cannot progress. Then we need at least an additional operator that 
allows to write programs that react to the end of the instant by changing their state in the 
following instant. We shall see that the termination of the typable programs can be obtained 
by mapping reductions in the extended language into reductions in the core language. 

Syntax and Reduction We extend the collection of terms as follows: $M ::= \cdots \mid M \rhd M$, where the operator else-next, written $M \rhd N$, tries to run $M$ and, if it fails, runs $N$ in the following instant (cf. [?]). We extend the evaluation contexts assuming $E ::= \cdots \mid E \rhd M$, and the elementary evaluation contexts assuming $El ::= \cdots \mid [\ ] \rhd M$.

We define a simplification operator $\mathit{red}$ that removes from a context all pending else-next branches:

$$
\mathit{red}(E) = \begin{cases}
[\ ] & \text{if } E = [\ ] \\
\mathit{red}(E') & \text{if } E = E' \rhd N \\
El[\mathit{red}(E')] & \text{otherwise, if } E = El[E']
\end{cases}
$$

We say that an evaluation context $E$ is time insensitive if $\mathit{red}(E) = E$. We adapt the reduction rules defined in section 2 as follows:

$$E[(\lambda x.M)V] \to \mathit{red}(E)[[V/x]M]$$

$$E[\mathit{get}(r)], (r \Leftarrow V) \to \mathit{red}(E)[V], (r \Leftarrow V)$$

$$E[\mathit{set}(r, V)] \to \mathit{red}(E)[*], (r \Leftarrow V)\ .$$

Further, we have to describe how a program reacts to the end of the computation. This is specified by the relation $\xrightarrow{tick}$ below:

$$\frac{M = E[\mathit{get}(r)] \quad E \text{ time insensitive}}{M \xrightarrow{tick} M} \qquad V \xrightarrow{tick} V \qquad S \xrightarrow{tick} S$$

$$\frac{M = E[E'[\Delta] \rhd N] \quad \Delta ::= V \mid \mathit{get}(r) \quad E \text{ time insensitive}}{M \xrightarrow{tick} E[N]} \qquad \frac{P_1, P_2 \not\to \quad P_i \xrightarrow{tick} P_i' \quad i = 1, 2}{P_1, P_2 \xrightarrow{tick} P_1', P_2'}$$

For instance, we can write $(\lambda x.M)\mathit{get}(r) \rhd N$ for a thread that tries to read a value from the region $r$ in the first instant and, if it fails, resumes the computation with $N$ in the following instant. We can also write $* \rhd N$ for a thread that (unconditionally) stops its computation for the current instant and resumes it with $N$ in the following instant.

Note that $P \xrightarrow{tick}$ only if $P \not\to$. The converse is in general false, but it holds for well-typed closed programs (cf. proposition 13). Thus for well-typed closed programs the principle is that time passes (a $\xrightarrow{tick}$ transition is possible) exactly when the computation cannot progress (a $\to$ transition is impossible). Then termination is obviously a very desirable property of timed/synchronous programs.
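The operational definitions above (the simplification operator red, time insensitive contexts, the three in-instant reduction rules and the tick relation), as an added Python interpreter that is not part of the paper: terms are encoded as tuples, an evaluation context as a list of frames (outermost first) and a store as a list of values per region, all my own encoding; a read returns the oldest stored value where the paper chooses nondeterministically.

```python
# Added interpreter for the timed fragment of section 5.2 (not the paper's own code).
UNIT = ('unit',)                      # the value *; terms are tuples, e.g. ('app', M, N)

def is_value(m):
    return m[0] in ('unit', 'reg', 'lam')

def subst(m, x, v):
    """[v/x]m for a closed value v, so no variable capture can occur."""
    if m[0] == 'var':
        return v if m[1] == x else m
    if m[0] == 'lam':
        return m if m[1] == x else ('lam', m[1], subst(m[2], x, v))
    if m[0] in ('unit', 'reg'):
        return m
    return (m[0],) + tuple(subst(a, x, v) for a in m[1:])

def decompose(m):
    """Split a closed term into (E as frames, outermost first; hole = redex, get(r) or value)."""
    frames = []
    while True:
        tag = m[0]
        if tag == 'else':                                  # E ::= E |> M
            frames.append(('else', m[2])); m = m[1]
        elif tag == 'app' and not is_value(m[1]):          # E ::= E M
            frames.append(('appL', m[2])); m = m[1]
        elif tag == 'app' and not is_value(m[2]):          # E ::= V E
            frames.append(('appR', m[1])); m = m[2]
        elif tag == 'get' and not is_value(m[1]):          # E ::= get(E)
            frames.append(('get', None)); m = m[1]
        elif tag == 'set' and not is_value(m[1]):          # E ::= set(E, M)
            frames.append(('setL', m[2])); m = m[1]
        elif tag == 'set' and not is_value(m[2]):          # E ::= set(r, E)
            frames.append(('setR', m[1])); m = m[2]
        else:
            return frames, m

def plug(frames, m):
    """Rebuild E[m] from a frame list (the inverse of decompose)."""
    for kind, a in reversed(frames):
        if kind == 'else': m = ('else', m, a)
        elif kind == 'appL': m = ('app', m, a)
        elif kind == 'appR': m = ('app', a, m)
        elif kind == 'get': m = ('get', m)
        elif kind == 'setL': m = ('set', m, a)
        else: m = ('set', a, m)                            # 'setR'
    return m

def red(frames):
    """red(E): drop every pending else-next branch, at any depth of the context."""
    return [f for f in frames if f[0] != 'else']

def time_insensitive(frames):
    return red(frames) == frames

def step(m, store):
    """One reduction within the instant, or None if M is stuck; store: region -> list of values."""
    frames, d = decompose(m)
    if d[0] == 'app' and d[1][0] == 'lam':                 # E[(\x.M)V] -> red(E)[[V/x]M]
        return plug(red(frames), subst(d[1][2], d[1][1], d[2]))
    if d[0] == 'get' and d[1][0] == 'reg' and store.get(d[1][1]):
        return plug(red(frames), store[d[1][1]][0])        # the paper may return any stored value
    if d[0] == 'set' and d[1][0] == 'reg':                 # stores only grow
        store.setdefault(d[1][1], []).append(d[2])
        return plug(red(frames), UNIT)
    return None

def tick(m):
    """End of instant for a stuck thread: E[E'[D] |> N], E time insensitive, D a value or get(r), becomes E[N]."""
    frames, d = decompose(m)
    if not (is_value(d) or d[0] == 'get'):
        raise ValueError('tick applies only to threads that cannot progress')
    for i, (kind, n) in enumerate(frames):
        if kind == 'else':                                 # first else frame, so frames[:i] is E
            assert time_insensitive(frames[:i])
            return plug(frames[:i], n)
    return m                                               # V tick V, or a blocked read at top level

def run_instant(threads, store):
    """Reduce the program until no thread can progress, then let time pass (P tick P')."""
    nxt = [step(t, store) for t in threads]
    while any(n is not None for n in nxt):
        threads = [n if n is not None else t for n, t in zip(nxt, threads)]
        nxt = [step(t, store) for t in threads]
    return [tick(t) for t in threads]
```

With an empty region r, the thread $(\lambda x.x)\mathit{get}(r) \rhd N$ is stuck and tick yields $N$; with a writer thread $\mathit{set}(r, *)$ running alongside, the read succeeds within the instant and the pending else branch is dropped by red.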

Typing The typing rules for the terms are extended as follows:

$$\frac{R;\Gamma \vdash M : (A, e) \quad R;\Gamma \vdash N : (A, e')}{R;\Gamma \vdash M \rhd N : (A, e)}$$

Note that in typing $M \rhd N$ we only record the effect of the term $M$, that is, we focus on the effects a term may produce in the first instant while neglecting those that may be produced at later instants.

Reduction The decomposition proposition 2 can be lifted to the extended language. There is a third case to be considered besides the two arising in proposition 2, which corresponds to the situation where the redex is under the scope of an else-next. More precisely, in the third case a closed term $M$ is decomposed as $E[E'[\Delta] \rhd N]$ where $E$ is a time insensitive evaluation context and $\Delta$ has the shape $V$, $(\lambda x.N)V$, $\mathit{set}(r, V)$, or $\mathit{get}(r)$.

Focusing on the stratified case, one can adapt the weakening, substitution, and subject reduction properties, whose proofs proceed as in proposition 6. The preservation of the type information by the passage of time (tick reduction) can be stated as follows.

If $R; \vdash M, S : (B, e)$ and $M, S \xrightarrow{tick} M', S'$ then $S = S'$ and there is an effect $e'$ such that $R; \vdash M', S' : (B, e')$.

Notice that the effect of the reduced term might be incomparable with the effect of the term to be reduced. Still, the following context substitution property allows us to conclude that the resulting term is well-typed.

If $R;\Gamma, x : A \vdash E[x] : (B, e)$ where $x$ is not free in the evaluation context $E$ and $R;\Gamma \vdash N : (A, e')$ then $R;\Gamma \vdash E[N] : (B, e \cup e')$.



Translation We consider a translation that removes the else-next operator while preserving typing and reduction. Namely, we define a function $\langle \_ \rangle$ on terms such that $\langle M \rhd N \rangle = \langle M \rangle$, $\langle x \rangle = x$, $\langle * \rangle = *$, $\langle r \rangle = r$, and which commutes with the other operators (abstraction, application, reading, and writing). Also the translation is extended to stores and programs in the obvious way: $\langle (r \Leftarrow V) \rangle = (r \Leftarrow \langle V \rangle)$, $\langle X_1, \ldots, X_n \rangle = \langle X_1 \rangle, \ldots, \langle X_n \rangle$.

Proposition 11 (simulation) (1) If $R;\Gamma \vdash M : (A, e)$ then $R;\Gamma \vdash \langle M \rangle : (A, e)$.

(2) If $R;\Gamma \vdash P : (B, e)$ then $R;\Gamma \vdash \langle P \rangle : (B, e)$.

(3) If $R; \vdash P : (B, e)$ and $P \to P'$ then $\langle P \rangle \to \langle P' \rangle$.

(4) A program $P$ terminates if $\langle P \rangle$ terminates.

The proof of this proposition is direct. In particular, to prove (3) we show that the 
translation commutes with the substitution and that the translation of an evaluation context 
is again an evaluation context. 



Fixed-point, revisited The typing rule (2) proposed for the fixed-point combinator cannot be applied in the stratified system, as the conditions $r : A \xrightarrow{e} B \in R$ and $r \in e$ cannot be satisfied. However, we can still type recursive calls that happen in a later instant.

Proposition 12 (type fixed-point, revisited) The following typing rule for the fixed point combinator is derived in the stratified system:

$$\frac{R;\Gamma, f : A \xrightarrow{e \cup \{r\}} B \vdash M : (A \xrightarrow{e} B, \emptyset) \quad r : A \xrightarrow{e} B \in R}{R;\Gamma \vdash \mathit{fix}_r f.M : (A \xrightarrow{e \cup \{r\}} B, \emptyset)}$$

We prove this proposition by a direct application of the typing rules and the substitution property (cf. proposition 14). To see a concrete example where the rule can be applied, consider a thread that at each instant writes an integer in a region $r'$ (we assume a basic type $\mathit{int}$ of integers):

$$M = \lambda x.(\lambda z.* \rhd f(x + 1))(\mathit{set}(r', x))$$

Then, e.g., $(\mathit{fix}_r f.M)1$ is the infinite behaviour that at the $i$-th instant writes $i$ in region $r'$. One can check the typability of $\mathit{fix}_r f.M$ taking as (stratified) region context $R = r' : \mathit{int},\ r : \mathit{int} \xrightarrow{\{r'\}} 1$.



6 Conclusion 

We have introduced a $\lambda$-calculus with regions as an abstraction of a variety of concrete higher-order concurrent languages with specific scheduling and interaction mechanisms. We have described a stratified type and effect system and provided a new reducibility candidates interpretation for it which entails that typable programs terminate.

We have highlighted some relevant properties of the interpretation (proposition 7) which could be taken as the basis for an abstract definition of reducibility candidate. The latter is needed to interpret second-order (polymorphic) types (see, e.g., [6]). We believe the proposed proof is both more general, because it applies to a variety of interaction mechanisms and scheduling policies, and simpler to understand, because the interpretation is given by a direct induction on the proof system and because the invariant on the store is easier to manage (the store is not affected by the reduction). This is of course a subjective opinion and the reader who masters [3] may well find our revised treatment superfluous.

We have also lifted our approach to a timed/synchronous framework and derived a form 
of recursive definition which is useful to define behaviours spanning infinitely many instants. 

In ongoing work, we have refined the type and effect system to include linear information 
(in the sense of linear logic) which is relevant both to define deterministic fragments of the 
calculus and to control better the complexity of the definable programs. 

Acknowledgements Thanks to Gérard Boudol for several discussions on [3].
A Proofs



A.1 Proof of proposition 2 (decomposition)

By induction on the structure of $M$. By the typing hypothesis, $M$ cannot be a variable. If $M$ is a value we are in case 1. Otherwise, $M$ can have exactly one of the following shapes: $M_1 M_2$, $\mathit{get}(M_1)$, $\mathit{set}(M_1, M_2)$. We consider in some detail the case for application.

The typing rules force $M_1$ and $M_2$ to be typable in an empty context. Moreover, $M_1$ must have a functional type. Because of this, if $M_1$ is a value then it must be of the shape $\lambda x.M_1'$. Moreover, we can apply the inductive hypothesis to $M_2$ and suitably compose with the evaluation context $M_1[\ ]$. If $M_1$ is not a value then we apply the inductive hypothesis to $M_1$ and suitably compose with the evaluation context $[\ ]M_2$. □

A.2 Proof of proposition 3 (basic properties, unstratified)

Weakening First prove by induction on the proof height that if $R, R' \vdash$ and $R \vdash A$ ($R \vdash (A, e)$, $R \vdash A \leq B$) then $R, R' \vdash A$ ($R, R' \vdash (A, e)$, $R, R' \vdash A \leq B$). Next, by induction on the proof height, we show how to transform a proof of $R;\Gamma \vdash M : (A, e)$ into a proof of $R, R'; \Gamma, \Gamma' \vdash M : (A, e)$. □

Substitution By induction on the proof height of $R;\Gamma, x : A \vdash M : (B, e)$.

Subject reduction First we notice that if a term $M$, of type and effect $(A, e)$, is ready to interact with the store then the region on which the interaction takes place belongs to $e$. More formally, if $\vdash M : (A, e)$, $M = E[\Delta]$ and $\Delta$ has the shape $\mathit{get}(r)$ or $\mathit{set}(r, V)$ then $r \in e$. To prove these facts we proceed by induction on the structure of the evaluation context $E$. Then we prove the assertion by case analysis on the reduction rule applied, relying on the substitution property. □

A.3 Proof of proposition 5 (type fixed-point)

Suppose $r : A \xrightarrow{e} B \in R$ and $r \in e$. Then $R; \vdash \lambda x.\mathit{get}(r)x : (A \xrightarrow{e} B, \emptyset)$. By proposition 3 (substitution), $R;\Gamma \vdash M' : (A \xrightarrow{e} B, \emptyset)$ where $M' = [\lambda x.\mathit{get}(r)x/f]M$. From this we derive: $R;\Gamma \vdash M'' : (A \xrightarrow{e} B, \{r\})$ where $M'' = \mathit{get}(\mathit{reg}_r \lambda x.M'x)$. This judgement can be weakened to $R;\Gamma, x : A \vdash M'' : (A \xrightarrow{e} B, \{r\})$ which combined with $R;\Gamma, x : A \vdash x : (A, \emptyset)$ leads to $R;\Gamma \vdash \lambda x.M''x : (A \xrightarrow{e} B, \emptyset)$ where $\lambda x.M''x = \mathit{fix}_r f.M$, as required. □

A.4 Proof of proposition 7 (properties interpretation)

Weakening Suppose $R'' \geq R' \geq R$ and $R' \vdash M \in R \vdash (A, e)$. Then $R'; \vdash M : (A, e)$ and by proposition 6 (weakening) we know that $R''; \vdash M : (A, e)$. Moreover, an inspection of the definition of $R \vdash (A, e)$ reveals that if we take an $R''' \geq R''$ then the required properties are automatically satisfied because $R''' \geq R'$ and $R' \vdash M \in R \vdash (A, e)$.

Extension/Restriction Suppose $R'' \geq R' \geq R$ and $R \vdash (A, e)$. We want to show that:

$$R'' \vdash M \in R \vdash (A, e) \quad \text{iff} \quad R'' \vdash M \in R' \vdash (A, e)\ .$$

Note that $R'(R'')$ coincides with $R(R'')$ on $dom(R)$. On the other hand, proposition 6 (subject reduction) guarantees that the reduction of a term of type and effect $(A, e)$ will not depend on and will not affect the part of the store whose domain is $dom(R') \setminus dom(R)$. We proceed by induction on the structure of the type $A$.

Suppose $A = 1$. If $R'' \vdash M \in R \vdash (A, e)$ then we know that for any $R_1 \geq R''$ we have that $M, R(R_1)$ strongly normalizes to $*, R(R_1)$. By applying subject reduction, we can conclude that $M, R'(R_1)$ will also strongly normalize to $*, R'(R_1)$. A similar argument applies if we start with $R'' \vdash M \in R' \vdash (A, e)$. Also, this proof schema can be repeated if $A = \mathit{Reg}_r B$.

Suppose now $A = A_1 \xrightarrow{e_1} A_2$. If $R'' \vdash M \in R \vdash (A, e)$ then we know that for any $R_1 \geq R''$, $M, R(R_1)$ strongly normalizes to $\lambda x.N, R(R_1)$, for some $\lambda x.N$. Moreover, for any $R_2 \geq R_1$, we have that $R_2 \vdash V \in R \vdash (A_1, \emptyset)$ implies $R_2 \vdash (\lambda x.N)V \in R \vdash (A_2, e_1)$. By applying subject reduction, we can conclude that $M, R'(R_1)$ will also strongly normalize to $\lambda x.N, R'(R_1)$, for some value $\lambda x.N$. Further, by induction hypothesis on $A$, if $R_2 \geq R_1$ and $R_2 \vdash V \in R' \vdash (A_1, \emptyset)$ then $R_2 \vdash (\lambda x.N)V \in R' \vdash (A_2, e_1)$.

Again, a similar argument applies if we start with $R'' \vdash M \in R' \vdash (A, e)$.

Subtyping Suppose $R \vdash (A, e) \leq (A', e')$. We proceed by induction on the proof of $R \vdash A \leq A'$.

Suppose we use the axiom $R \vdash A \leq A$ and $R' \vdash M \in R \vdash (A, e)$. Then we check that $R' \vdash M \in R \vdash (A, e')$ since $R'; \vdash M : (A, e')$ using the subtyping rule, and the remaining conditions do not depend on $e$ or $e'$.

Suppose we have $A = A_1 \xrightarrow{e_1} A_2$, $A' = A_1' \xrightarrow{e_1'} A_2'$, and we derive $R \vdash A \leq A'$ from $R \vdash A_1' \leq A_1$, $R \vdash A_2 \leq A_2'$, and $e_1 \subseteq e_1'$. Moreover, suppose $R' \vdash M \in R \vdash (A, e)$. Then $R'; \emptyset \vdash M : (A', e')$, by the subtyping rule. Moreover, if $R'' \geq R'$ and $M, R(R'')$ reduces to $\lambda x.N, R(R'')$, we can use the induction hypothesis to show that if $R_1 \geq R''$ and $R_1 \vdash V \in R \vdash (A_1', \emptyset)$ then $R_1 \vdash (\lambda x.N)V \in R \vdash (A_2', e_1')$.

Strong normalisation This follows immediately from the definition of $R \vdash (A, e)$.

Reduction closure Suppose $R' \vdash M \in R \vdash (A, e)$ and $R'' \geq R'$. We know that $M, R(R'')$ strongly normalizes to programs of the shape $M'', R(R'')$ where $M''$ has suitable properties. Then if $M, R(R'')$ reduces to $M', S'$ it must be that $S' = R(R'')$ since the store can only grow. Moreover, by proposition 6 (subject reduction), we know that $R''; \emptyset \vdash M' : (A, e)$. It remains to check conditions (2) and (3) of the interpretation on $R'' \vdash M'$. Let $R''' \geq R''$. We claim $M, R(R''')$ reduces to $M', R(R''')$ so that $M'$ inherits from $M$ the conditions (2) and (3). To check the claim, recall that $M, R(R'')$ reduces to $M', R(R'')$. Then we analyse the type of reduction performed. The interesting case arises when $M$ reads a value $V$ from the store $R(R'')$ where, say, $R'' \vdash V \in R_1 \vdash (B, \emptyset)$ and $R = R_1, r : B, R_2$. But then we can apply weakening to conclude that $R''' \vdash V \in R_1 \vdash (B, \emptyset)$.

Non-emptiness/Expansion closure We prove the two properties at once, by induction on the proof height of $R \vdash (A, e)$.

• Suppose $R \vdash (1, e)$. We take $V = *$. Then for $R' \geq R$ we have $R'; \emptyset \vdash * : (1, e)$. Also, for any $R'' \geq R'$, $*, R(R'')$ converges to itself and satisfies the required properties. Therefore $R' \vdash * \in R \vdash (1, e)$. This settles non-emptiness. To check expansion closure, suppose $R' \geq R$, $R'; \vdash M : (1, e)$, and $R'' \geq R'$. By the decomposition proposition 2, $M$ is either a value or a term of the shape $E[\Delta]$ where $\Delta$ is a redex.

If $M, R(R'')$ does not reduce then $M$ must be the value $*$. Indeed, by the typing hypothesis it cannot be a region or an abstraction. Also, it cannot be of the shape $E[\mathit{get}(r)]$. Indeed, suppose $R = R_1, r : B, R_2$; then by induction hypothesis on $R_1 \vdash (B, \emptyset)$, we know that the store $R(R'')$ contains at least a value in the region $r$.

If $M, R(R'')$ does reduce then, by hypothesis, for all $M', S'$ such that $M, R(R'') \to M', S'$ we have that $R'' \vdash M'$ belongs to $R \vdash (A, e)$ and $S' = R(R'')$. This is enough to check the conditions (2) and (3) of the interpretation and conclude that $R'' \vdash M$ belongs to $R \vdash (A, e)$.

• The other basic case is $R \vdash (\mathit{Reg}_r B, e)$. Then we take as value $V = r$ and we reason as in the previous case.

• Finally, suppose $R \vdash (A_1 \xrightarrow{e_1} A_2, e)$. By induction hypothesis on $R \vdash (A_2, e_1)$, we know that there is a value $V_2$ such that for any $R' \geq R$ we have $R' \vdash V_2 \in R \vdash (A_2, e_1)$. Then we claim that:

$$R' \vdash \lambda x.V_2 \in R \vdash (A_1 \xrightarrow{e_1} A_2, e)\ .$$

First, $R'; \vdash \lambda x.V_2 : (A_1 \xrightarrow{e_1} A_2, e)$ is easily derived from the hypothesis that $R'; \vdash V_2 : (A_2, e_1)$. The second property of the interpretation is trivially fulfilled since $\lambda x.V_2$ cannot reduce. For the third property, suppose $R_1 \geq R'' \geq R'$ and $R_1 \vdash V \in R \vdash (A_1, \emptyset)$. We have to check that $R_1 \vdash (\lambda x.V_2)V$ belongs to $R \vdash (A_2, e_1)$. We observe that $R_1; \vdash (\lambda x.V_2)V : (A_2, e_1)$, and the term $(\lambda x.V_2)V$ is neutral. Moreover, for $R_2 \geq R_1$, $(\lambda x.V_2)V, R(R_2) \to V_2, R(R_2)$. Thus we are in the situation to apply the inductive hypothesis of expansion closure on $R \vdash (A_2, e_1)$. This settles non-emptiness at higher-order. To check expansion closure, suppose $R' \geq R$, $R'; \vdash M : (A_1 \xrightarrow{e_1} A_2, e)$, and $M$ neutral. Then $M$ cannot be a value and for any $R'' \geq R'$ the program $M, R(R'')$ must reduce. Indeed, $M$ cannot be stuck on a read because if $r \in dom(R)$ then we know, by inductive hypothesis, that $R(R'')(r)$ is not empty. Then we conclude that $R' \vdash M$ satisfies properties (2) and (3) of the interpretation because all the terms it reduces to satisfy them. □

A.5 Proof of theorem 9 (soundness)

We proceed by induction on the proof of $R;\Gamma \vdash M : (B, e)$. We shall write $[\vec{V}/\vec{x}]$ for $[V_1/x_1, \ldots, V_n/x_n]$. Suppose $\Gamma = x_1 : A_1, \ldots, x_n : A_n$, $R \vdash \Gamma$ and $R' \geq R$. We let $R' \vdash \vec{V} \in R \vdash \Gamma$ stand for $R' \vdash V_i \in R \vdash (A_i, \emptyset)$ for $i = 1, \ldots, n$, where $\vec{V} = V_1, \ldots, V_n$.

• Suppose $\Gamma = x_1 : A_1, \ldots, x_i : A_i, \ldots, x_n : A_n$, $R;\Gamma \vdash x_i : (A_i, \emptyset)$, $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. Then $[\vec{V}/\vec{x}]x_i = V_i$ and, by hypothesis, $R' \vdash V_i \in R \vdash (A_i, \emptyset)$.

• Suppose $R;\Gamma \vdash * : (1, \emptyset)$, $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. Then $[\vec{V}/\vec{x}]* = *$ and we know that $R' \vdash * \in R \vdash (1, \emptyset)$.

• Suppose $R;\Gamma \vdash r : (\mathit{Reg}_r B, \emptyset)$, $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. Then $[\vec{V}/\vec{x}]r = r$ and we know that $R' \vdash r \in R \vdash (\mathit{Reg}_r B, \emptyset)$.

• Suppose $R;\Gamma \vdash M : (A', e')$ is derived from $R;\Gamma \vdash M : (A, e)$ and $R \vdash (A, e) \leq (A', e')$. Moreover, suppose $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. By induction hypothesis, $R' \vdash [\vec{V}/\vec{x}]M \in R \vdash (A, e)$. By proposition 7 (subtyping), we conclude that $R' \vdash [\vec{V}/\vec{x}]M \in R \vdash (A', e')$.

• Suppose $R;\Gamma \vdash \lambda x.M : (A \xrightarrow{e} B, \emptyset)$ is derived from $R;\Gamma, x : A \vdash M : (B, e)$. Moreover, suppose $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. We need to check that $R' \vdash \lambda x.[\vec{V}/\vec{x}]M$ belongs to $R \vdash (A \xrightarrow{e} B, \emptyset)$. Namely, assuming $R'' \geq R' \geq R$ and $R'' \vdash V \in R \vdash (A, \emptyset)$, we have to show that $R'' \vdash [\vec{V}/\vec{x}](\lambda x.M)V \in R \vdash (B, e)$. We observe that $R''; \vdash [\vec{V}/\vec{x}](\lambda x.M)V : (B, e)$ and that, by weakening $R'$ to $R''$ and induction hypothesis, we know that $R'' \vdash [\vec{V}/\vec{x}, V/x]M \in R \vdash (B, e)$. Then we conclude by applying proposition 7 (expansion closure).

• Suppose $R;\Gamma \vdash MN : (B, e_1 \cup e_2 \cup e_3)$ is derived from $R;\Gamma \vdash M : (A \xrightarrow{e_1} B, e_2)$ and $R;\Gamma \vdash N : (A, e_3)$. Moreover, suppose $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. By induction hypothesis, we know that $R' \vdash [\vec{V}/\vec{x}]M \in R \vdash (A \xrightarrow{e_1} B, e_2)$ and $R' \vdash [\vec{V}/\vec{x}]N \in R \vdash (A, e_3)$. We have to show that: $R' \vdash [\vec{V}/\vec{x}](MN) \in R \vdash (B, e_1 \cup e_2 \cup e_3)$. Suppose $R'' \geq R'$. Then $[\vec{V}/\vec{x}]M, R(R'')$ normalizes to $\lambda x.M', R(R'')$ for some value $\lambda x.M'$ and $[\vec{V}/\vec{x}]N, R(R'')$ normalizes to $V, R(R'')$ for some value $V$. Further, by reduction closure, we know that $R'' \vdash \lambda x.M' \in R \vdash (A \xrightarrow{e_1} B, e_2)$ and $R'' \vdash V \in R \vdash (A, e_3)$. It is easily checked that the latter implies $R'' \vdash V \in R \vdash (A, \emptyset)$. By condition (3) of the interpretation, we derive that $R'' \vdash (\lambda x.M')V \in R \vdash (B, e_1)$, which suffices to conclude.

• Suppose $R;\Gamma \vdash \mathit{set}(M, N) : (1, e_1 \cup e_2 \cup \{r\})$ is derived from $R;\Gamma \vdash M : (\mathit{Reg}_r A, e_1)$ and $R;\Gamma \vdash N : (A, e_2)$. Moreover, suppose $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. By induction hypothesis, we know that $R' \vdash [\vec{V}/\vec{x}]M \in R \vdash (\mathit{Reg}_r A, e_1)$ and $R' \vdash [\vec{V}/\vec{x}]N \in R \vdash (A, e_2)$. Then for any $R'' \geq R'$, $[\vec{V}/\vec{x}]M, R(R'')$ normalizes to $r, R(R'')$ and $[\vec{V}/\vec{x}]N, R(R'')$ normalizes to $V, R(R'')$ where $R'' \vdash V \in R \vdash (A, \emptyset)$. Suppose $R = R_1, r : A, R_2$. By definition, $R(R'')(r) = \{V \mid R'' \vdash V \in R_1 \vdash (A, \emptyset)\}$. By proposition 7 (restriction), we know that if $R'' \vdash V \in R \vdash (A, \emptyset)$ then $R'' \vdash V \in R_1 \vdash (A, \emptyset)$. Therefore, $V \in R(R'')(r)$, and the assignment normalizes to $*, R(R'')$. It follows that $R'' \vdash [\vec{V}/\vec{x}](\mathit{set}(M, N))$ belongs to $R \vdash (1, e_1 \cup e_2 \cup \{r\})$.

• Suppose $R;\Gamma \vdash \mathit{get}(M) : (A, e \cup \{r\})$ is derived from $R;\Gamma \vdash M : (\mathit{Reg}_r A, e)$. Moreover, suppose $R' \geq R$, and $R' \vdash \vec{V} \in R \vdash \Gamma$. By induction hypothesis, we know that $R' \vdash [\vec{V}/\vec{x}]M \in R \vdash (\mathit{Reg}_r A, e)$. Then for any $R'' \geq R'$, $[\vec{V}/\vec{x}]M, R(R'')$ normalizes to $r, R(R'')$. Thus $\mathit{get}([\vec{V}/\vec{x}]M), R(R'')$ will reduce to $V, R(R'')$ where $V \in R(R'')(r)$, which is not empty by proposition 7 (non-emptiness). Suppose $R = R_1, r : A, R_2$. We know that $R'' \vdash V \in R_1 \vdash (A, \emptyset)$ and by proposition 7 (extension) we conclude that $R'' \vdash V \in R \vdash (A, \emptyset)$. □

A.6 Proof of corollary 10 (termination)

(1) By definition, if $R \vdash M \in R \vdash (A, e)$ then $R; \vdash M : (A, e)$. On the other hand, as a special case of theorem 9, if $R; \vdash M : (A, e)$ is derivable then $R \vdash M \in R \vdash (A, e)$.

(2) Suppose we have $R; \vdash M_1, \ldots, M_n : (B, e)$. Then we have $R; \vdash M_i : (A_i, e_i)$ for $i = 1, \ldots, n$. By theorem 9, the evaluation of $M_i, R(R)$ is guaranteed to terminate in $V_i, R(R)$, for some value $V_i$. Now any reduction starting from $M_1, \ldots, M_n$ can be simulated step by step by a reduction of $M_1, \ldots, M_n, R(R)$ and therefore it must terminate. □

A.7 Decomposition for the timed/synchronous system

Recall that $\vdash^{-e}$ denotes provability in the effect-free system.

Proposition 13 (decomposition extended) If $\vdash^{-e} M : A$ is a well-typed closed thread then exactly one of the following situations arises, where $E$ is a time insensitive evaluation context: (1) $M$ is a value; (2) $M = E[\Delta]$ and $\Delta$ has the shape $(\lambda x.N)V$, $\mathit{set}(r, V)$, or $\mathit{get}(r)$; or (3) $M = E[E'[\Delta] \rhd N]$ and $\Delta$ has the shape $V$, $(\lambda x.N)V$, $\mathit{set}(r, V)$, or $\mathit{get}(r)$.

Proof. By induction on the structure of $M$. We consider in some detail the case for the else-next (cf. proof A.1 for the other cases).

$M_1 \rhd M_2$ We apply the inductive hypothesis to $M_1$, and we have three cases: (1) $M_1$ is a value, (2) $M_1 = E_1[\Delta_1]$ with $E_1$ time insensitive, and (3) $M_1 = E_1[E_2[\Delta_1] \rhd N]$ with $E_1$ time insensitive. We note that in each case we fall in case 3, where the insensitive evaluation context is $[\ ]$. □

A.8 Basic properties for the timed/synchronous extensions

Proposition 14 (basic properties, stratified extended) The following properties hold in the stratified, timed/synchronous system.

weakening If $R;\Gamma \vdash M : (A, e)$ and $R, R' \vdash \Gamma, \Gamma'$ then $R, R'; \Gamma, \Gamma' \vdash M : (A, e)$.

substitution If $R;\Gamma, x : A \vdash M : (B, e)$ and $R;\Gamma \vdash N : (A, \emptyset)$ then $R;\Gamma \vdash [N/x]M : (B, e)$.

context substitution If $R;\Gamma, x : A \vdash E[x] : (B, e)$ where $x$ is not free in the evaluation context $E$ and $R;\Gamma \vdash N : (A, e')$ then $R;\Gamma \vdash E[N] : (B, e \cup e')$.

subject reduction If $R, R'; \Gamma \vdash M, S : (B, e)$, $R \vdash e$, and $M, S \to M', S'$ then $R, R'; \Gamma \vdash M', S' : (B, e)$, $S|_{dom(R')} = S'|_{dom(R')}$, and $M, S|_{dom(R)} \to M', S'|_{dom(R)}$. Moreover, if $M = M$ and $R, R' \vdash M : (A, e)$ then $M' = M'$ and $R, R'; \vdash M' : (A, e)$.

tick reduction If $R; \vdash M, S : (B, e)$, and $M, S \xrightarrow{tick} M', S'$ then $S = S'$ and there is an effect $e'$ such that $R; \vdash M', S : (B, e')$.

Proof.

weakening/substitution The proofs of weakening and substitution proceed as in the proof

context substitution We note that a proof of $R;\Gamma \vdash M : (A, e)$ consists of a proof of $R;\Gamma \vdash M : (A', e')$, where $R \vdash (A', e') \leq (A, e)$, followed by a sequence of subtyping rules. To prove context substitution, we proceed by induction on the proof of $R;\Gamma, x : A \vdash E[x] : (B, e)$ and by case analysis on the shape of $E$.

subject reduction To prove subject reduction, we start by noting that if $R; x : A \vdash E[x] : (B, e)$ then $R; x : A \vdash \mathit{red}(E)[x] : (B, e)$. In other terms, the elimination of the pending else-next branches from the evaluation context preserves the typing. Then we proceed by analysing the redexes as in proof A.2.

tick reduction The interesting case is when $M = E[E'[\Delta] \rhd N]$, $E$ is time insensitive, $\Delta$ has the shape $V$ or $\mathit{get}(r)$, and $M \xrightarrow{tick} E[N]$. Suppose $R; \vdash M : (A, e)$. Then the typing of the else-next guarantees that $R; \vdash E'[\Delta] : (B, e_1)$ and $R; \vdash N : (B, e_2)$ for some $B, e_1, e_2$ where $e_1$ and $e_2$ may be incomparable. Then we can conclude $R; \vdash E[N] : (A, e')$ where the effect $e'$ is contained in $dom(R)$ but may be incomparable with $e$. □

A.9 Proof of proposition 11 (simulation)

(1) A straightforward induction on the typing. 

(2) Immediate extension of step (1). 

(3) First we check that the translation commutes with the substitution. Also, we extend the translation to evaluation contexts, assuming $\langle [\ ] \rangle = [\ ]$, and check that $\langle E \rangle$ is again an evaluation context. Then we proceed by case analysis on the reduction rule.

(4) Every reduction in P corresponds to a reduction in (P). □ 

A.10 Proof of proposition 12 (type fixed-point, revisited)

The proof is a variation of the one for proposition 5. Suppose $r : A \xrightarrow{e} B \in R$ (hence $r \notin e$). Then $R; \vdash \lambda x.\mathit{get}(r)x : (A \xrightarrow{e \cup \{r\}} B, \emptyset)$. By proposition 14 (substitution), $R;\Gamma \vdash M' : (A \xrightarrow{e} B, \emptyset)$ where $M' = [\lambda x.\mathit{get}(r)x/f]M$. From this we derive: $R;\Gamma \vdash M'' : (A \xrightarrow{e} B, \{r\})$ where $M'' = \mathit{get}(\mathit{reg}_r \lambda x.M'x)$. This judgement can be weakened to $R;\Gamma, x : A \vdash M'' : (A \xrightarrow{e} B, \{r\})$ which combined with $R;\Gamma, x : A \vdash x : (A, \emptyset)$ leads to $R;\Gamma \vdash \lambda x.M''x : (A \xrightarrow{e \cup \{r\}} B, \emptyset)$ where $\lambda x.M''x = \mathit{fix}_r f.M$, as required. □

B Summary of syntax, operational semantics, and typing rules

Table 1 summarizes the main syntactic categories, the evaluation rules for the computation within an instant (relation $\to$), and the rules for the passage of time (relation $\xrightarrow{tick}$). Table 2 summarizes the typing rules for the unstratified and stratified systems, which differ just in the judgements for region contexts and types.
Syntactic categories

$x, y, \ldots$ (variables)
$r, s, \ldots$ (regions)
$e, e', \ldots$ (finite sets of regions)
$A ::= 1 \ \|\ \mathit{Reg}_r A \ \|\ (A \xrightarrow{e} A) \ \|\ (A \xrightarrow{e} B)$ (types)
$\alpha ::= A \ \|\ B$ (types or behaviour)
$R ::= r_1 : A_1, \ldots, r_n : A_n$ (region context)
$\Gamma ::= x_1 : A_1, \ldots, x_n : A_n$ (context)
$M ::= x \ \|\ r \ \|\ * \ \|\ \lambda x.M \ \|\ MM \ \|\ \mathit{get}(M) \ \|\ \mathit{set}(M, M) \ \|\ M \rhd M \ \|\ M, M$ (terms)
$V ::= r \ \|\ * \ \|\ \lambda x.M$ (values)
$v, v', \ldots$ (sets of values)
$S ::= (r \Leftarrow v)$ (stores)
$X ::= M \ \|\ S$ (stores or terms)
$P ::= X \ \|\ X, P$ (programs)
$E ::= [\ ] \ \|\ EM \ \|\ VE \ \|\ \mathit{get}(E) \ \|\ \mathit{set}(E, M) \ \|\ \mathit{set}(r, E) \ \|\ E \rhd M$ (evaluation contexts)

Evaluation rules within an instant

$$E[(\lambda x.M)V] \to \mathit{red}(E)[[V/x]M] \qquad E[\mathit{get}(r)], (r \Leftarrow V) \to \mathit{red}(E)[V], (r \Leftarrow V)$$

$$E[\mathit{set}(r, V)] \to \mathit{red}(E)[*], (r \Leftarrow V) \qquad \frac{P \to P'}{P, P'' \to P', P''}$$

Rules for the passage of time

$$\frac{M = E[\mathit{get}(r)] \quad E \text{ time insensitive}}{M \xrightarrow{tick} M} \qquad V \xrightarrow{tick} V \qquad S \xrightarrow{tick} S$$

$$\frac{M = E[E'[\Delta] \rhd N] \quad E \text{ time insensitive} \quad \Delta ::= V \ \|\ \mathit{get}(r)}{M \xrightarrow{tick} E[N]} \qquad \frac{P_1, P_2 \not\to \quad P_i \xrightarrow{tick} P_i' \quad i = 1, 2}{P_1, P_2 \xrightarrow{tick} P_1', P_2'}$$

Table 1: Syntactic categories and operational semantics






Unstratified region contexts and types

$$R \vdash 1 \qquad R \vdash B \qquad \frac{R \vdash A \quad R \vdash \alpha \quad e \subseteq dom(R)}{R \vdash (A \xrightarrow{e} \alpha)} \qquad \frac{r : A \in R}{R \vdash \mathit{Reg}_r A}$$

$$\frac{\forall r \in dom(R) \quad R \vdash R(r)}{R \vdash} \qquad \frac{R \vdash \quad R \vdash \alpha}{R \vdash \alpha} \qquad \frac{R \vdash \alpha \quad e \subseteq dom(R)}{R \vdash (\alpha, e)}$$

Stratified region contexts and types

$$\emptyset \vdash \qquad \frac{R \vdash A \quad r \notin dom(R)}{R, r : A \vdash} \qquad \frac{R \vdash}{R \vdash 1} \qquad \frac{R \vdash}{R \vdash B}$$

$$\frac{R \vdash \quad r : A \in R}{R \vdash \mathit{Reg}_r A} \qquad \frac{R \vdash A \quad R \vdash \alpha \quad e \subseteq dom(R)}{R \vdash (A \xrightarrow{e} \alpha)} \qquad \frac{R \vdash \alpha \quad e \subseteq dom(R)}{R \vdash (\alpha, e)}$$

Subtyping rules

$$\frac{R \vdash \alpha}{R \vdash \alpha \leq \alpha} \qquad \frac{R \vdash A' \leq A \quad R \vdash \alpha \leq \alpha' \quad e \subseteq e' \subseteq dom(R)}{R \vdash (A \xrightarrow{e} \alpha) \leq (A' \xrightarrow{e'} \alpha')} \qquad \frac{R \vdash \alpha \leq \alpha' \quad e \subseteq e' \subseteq dom(R)}{R \vdash (\alpha, e) \leq (\alpha', e')}$$

Terms, stores, and programs

$$\frac{R \vdash \Gamma \quad x : A \in \Gamma}{R;\Gamma \vdash x : (A, \emptyset)} \qquad \frac{R \vdash \Gamma \quad r : A \in R}{R;\Gamma \vdash r : (\mathit{Reg}_r A, \emptyset)} \qquad \frac{R \vdash \Gamma}{R;\Gamma \vdash * : (1, \emptyset)}$$

$$\frac{R;\Gamma, x : A \vdash M : (\alpha, e)}{R;\Gamma \vdash \lambda x.M : (A \xrightarrow{e} \alpha, \emptyset)} \qquad \frac{R;\Gamma \vdash M : (A \xrightarrow{e_1} \alpha, e_2) \quad R;\Gamma \vdash N : (A, e_3)}{R;\Gamma \vdash MN : (\alpha, e_1 \cup e_2 \cup e_3)}$$

$$\frac{R;\Gamma \vdash M : (\mathit{Reg}_r A, e)}{R;\Gamma \vdash \mathit{get}(M) : (A, e \cup \{r\})} \qquad \frac{R;\Gamma \vdash M : (\mathit{Reg}_r A, e_1) \quad R;\Gamma \vdash N : (A, e_2)}{R;\Gamma \vdash \mathit{set}(M, N) : (1, e_1 \cup e_2 \cup \{r\})}$$

$$\frac{R;\Gamma \vdash M : (A, e) \quad R;\Gamma \vdash N : (A, e')}{R;\Gamma \vdash M \rhd N : (A, e)} \qquad \frac{R;\Gamma \vdash M : (\alpha, e) \quad R \vdash (\alpha, e) \leq (\alpha', e')}{R;\Gamma \vdash M : (\alpha', e')}$$

$$\frac{r : A \in R \quad \forall V \in v \quad R;\Gamma \vdash V : (A, \emptyset)}{R;\Gamma \vdash (r \Leftarrow v) : (B, \emptyset)} \qquad \frac{R;\Gamma \vdash X_i : (\alpha_i, e_i) \quad i = 1, \ldots, n \geq 1}{R;\Gamma \vdash X_1, \ldots, X_n : (B, e_1 \cup \cdots \cup e_n)}$$

Table 2: Typing systems